Published in FalconForce

- FalconFriday — Detecting MMC abuse using “GrimResource” with MDE — 0xFF24 (Jun 28, 2024)
  Last week, Elastic Security Labs released a blog post detailing the “GrimResource” technique used by both red teams and malicious actors…

- Deploying Detections at Scale — Part 0x01: use-case format and automated validation (Mar 13, 2023)
  At FalconForce, we have built a large repository of over 350 detection queries. A question we get asked a lot is: “how do you manage and…

- FalconFriday — Detecting Active Directory Data Collection — 0xFF21 (Nov 11, 2022)
  Active Directory data collection

- FalconFriday — Detecting malicious modifications to Active Directory — 0xFF1D (May 13, 2022)
  Recently, we are seeing more and more threat actors and red teams move to using relay attacks, often combined with the ability of users to…

- Debugging the undebuggable and finding a CVE in Microsoft Defender for Endpoint (Apr 1, 2022)
  At FalconForce, we like to understand the tools that we work with. One of the tools we use a lot on the blue side is MDE: Microsoft…

- FalconFriday — Detecting realistic AWS cloud-attacks using Azure Sentinel — 0xFF1C (Feb 11, 2022)
  On January 28th, Christophe Tafani-Dereeper released the open source Stratus Red Team attack simulation tool. At FalconForce, we are very…

- BOF2shellcode — a tutorial converting a stand-alone BOF loader into shellcode (Nov 5, 2021)
  TL;DR — At FalconForce we love purple teaming, meaning that we engage in both red teaming and blue teaming. For the red teaming we often…

- FalconFriday — Detecting UAC Bypasses — 0xFF16 (Aug 20, 2021)
  Attackers often require full administrative privileges on a machine to be able to use their full attack capabilities. Many attacks…

- FalconFriday — Direct system calls and Cobalt Strike BOFs — 0xFF14 (Jul 23, 2021)
  Direct system calls are a popular technique used by attackers to bypass certain EDR solutions. In this blog we deep-dive into how direct…

- FalconFriday — Privilege Escalations to SYSTEM — 0xFF13 (Jul 9, 2021)
  Sometimes, simple queries can be quite effective. One example of that is a rule we recently developed to detect processes that start…